SECURITY: Escape watched word in error message (#14434)

lib/new_post_manager.rb

@@ -201,10 +201,10 @@ def perform
       result = NewPostResult.new(:created_post, false)
       if matches.size == 1
         key = 'contains_blocked_word'
-        translation_args = { word: matches[0] }
+        translation_args = { word: CGI.escapeHTML(matches[0]) }
       else
         key = 'contains_blocked_words'
-        translation_args = { words: matches.join(', ') }
+        translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
       end
       result.errors.add(:base, I18n.t(key, translation_args))
       return result

lib/validators/watched_words_validator.rb

@@ -5,10 +5,10 @@ def validate_each(record, attribute, value)
     if matches = WordWatcher.new(value).should_block?.presence
       if matches.size == 1
         key = 'contains_blocked_word'
-        translation_args = { word: matches[0] }
+        translation_args = { word: CGI.escapeHTML(matches[0]) }
       else
         key = 'contains_blocked_words'
-        translation_args = { words: matches.join(', ') }
+        translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
       end
       record.errors.add(:base, I18n.t(key, translation_args))
     end

spec/integration/watched_words_spec.rb

@@ -32,6 +32,14 @@ def should_block_post(manager)
       }.to_not change { Post.count }
     end
 
+    it "escapes the blocked word in error message" do
+      block_word = Fabricate(:watched_word, action: WatchedWord.actions[:block], word: "<a>")
+      manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
+      result = manager.perform
+      expect(result).to_not be_success
+      expect(result.errors[:base]&.first).to eq(I18n.t('contains_blocked_word', word: "&lt;a&gt;"))
+    end
+
     it "should prevent the post from being created" do
       manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
       should_block_post(manager)